Australia’s new telecom bill allowing law enforcement access to encrypted messages (like WhatsApp) could backfire
- In Australia, companies that provide encrypted products and services are required to provide access to law enforcement under a new law recently passed by the nation’s Senate
- The legislation amounts to inserting means of access into encrypted services, which may end up creating vulnerabilities that could be exploited by hackers
The Australian Senate’s last piece of business for 2018 was to hurriedly pass the Telecommunications and Other Legislation (Assistance and Access) Bill before the end of the year.
Among the new powers is the power to issue technical capability notices to companies that provide encrypted products and services, requiring them to ensure their systems would allow exceptional access for law enforcement and/or intelligence agencies.
This follows a statement from the Five Country (Australia, New Zealand, Canada, UK, US) Ministerial in August 2018, that “should governments continue to encounter impediments to lawful access to information … we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”.
Australia is not the first country to pursue this approach. The UK has a similar power in its Investigatory Powers Act 2016, and the US has brought cases against companies like Apple and Facebook asking courts to order that they modify their systems.
Inserting means of access in encrypted services creates new vulnerabilities that could be exploited by attackers, not just by law enforcement and intelligence agencies. While circumventing the use of encryption might seem like an answer, legal measures to bypass encryption simply undermine it and the trust users have in the security of their messages and data. Further, criminals and terrorists would simply seek out “underground” encryption services or make their own, effectively avoiding the outcome governments are hoping to achieve.
Companies that are asked to provide exceptional access might turn off end-to-end encryption, deactivate “encryption on by default”, disable smartphone “kill switches” or take away users’ sole ability to decrypt their smartphones. These are the very features that have vastly improved security and privacy for millions of users throughout the Asia-Pacific region.
Even if the encryption itself is not affected, if the law causes companies to provide exceptional access by modifying other systems or by failing to choose stronger security mechanisms, the security and confidentiality of users’ encrypted content is still at risk.
The security of communications depends not only on the strength of encryption, but also on the security of the other systems used to provide those encrypted services.
The question is, now that Australia has passed this legislation, what will the rest of the Asia-Pacific region do?
Already the Asia-Pacific region is a patchwork of different approaches to encrypted user services, especially when it comes to end-to-end encryption. For example, China reportedly blocks WhatsApp and convinced Apple to remove VPNs from its App Store. Some months ago, the Indian Ministry of Electronics and IT reportedly asked WhatsApp to change its system, which would have meant breaking its end-to-end encryption. WeChat only uses transport encryption – reportedly to comply with Chinese law.
Theft, misuse and surveillance of digital information are real and ever-present threats. Encryption and other digital technologies that help secure data are critical in protecting online communications and data. We must be wary of breaking security for everyone, to pursue a few.
By weakening the security of encrypted services in these ways, countries could change the course of digital security, putting the strength of their digital economies in jeopardy and exposing their citizens to greater risk from security threats.
Australia, and other countries in the region, should also be concerned about the longer-term effects these kinds of approaches have on the growth of their economies. For instance, if the internet is going to “boost the Australian economy by A$140 billion (US$99.3 billion) to A$250 billion over the next eight years,” as the Australian Minister for Industry, Innovation and Science Arthur Sinodinos has estimated, then encryption and strong security will need to be at the heart of it.
Alongside fierce competition from foreign competitors, local tech companies may face suspicion when engaging in overseas markets. In some cases, suspicion could lead to outright exclusion from the market. For instance, due to perceived national security concerns, Huawei has been blocked from deploying 5G in several countries, including Australia and New Zealand.
Encryption is a vital component in protecting the new digital businesses that will shape Asia-Pacific’s future, and the people who use them. If countries in the region wish to become world leaders in digital innovation, there is no room for weakening the security of digital systems.
Stronger, not weaker, encryption is needed
The Asia-Pacific region has the potential to enjoy the benefits the internet has to offer. But we cannot and should not allow concerns about access to undermine the value that encryption provides in securing data and protecting our communications. Undermining encryption will only leave us less secure, not more.
Christine Runnegar is the senior director of internet trust at the Internet Society